Researchers detail Tetrade family of Brazilian banking trojans

Cybersecurity researchers from Kaspersky detailed four Brazilian banking trojans targeting financial institutions in Brazil, Latin America and Europe. Dubbed the Tetrade by researchers, the malware family includes Guildma, Javali, Melcoz and Grandoreiro banking trojans.

Per the report, Guildma has added a host of new features to its campaigns since its inception in 2015. By using phishing emails with compressed email attachments, Guildma can hide malicious payloads and HTML files designed to execute JavaScript code.

Once executed, Guildma downloads the HTML file and uses a legitimate command-line tool such as BITSAdmin to retrieve modules. Guildma also uses NTFS alternate data streams to conceal downloaded payloads and DLL search order hijacking to launch the malware.

Once installed, the final payload monitors for specific bank websites. When the victim opens a specific bank website, threat actors can then execute financial transactions using the victim's computer. Though Guildma has targeted banking users in Brazil in the past, the campaign has since broadened its reach by attacking banking users in Latin America.

Much like Guildma, Javali uses a multi-stage malware deployment process to dupe its victims. Using phishing emails to distribute its initial payload, Javali emails include a file for a Microsoft installer along with an embedded Visual Basic script that downloads the final malicious payload from a remote C2. By using DLL sideloading and obfuscation techniques, Javali can hide its malicious activities.

Melcoz, another trojan app within the Tetrade family, has been linked to a string of attacks in Chile and Mexico since 2018. A variant of the open-source RAT remote access PC, Melcoz uses VBS scripts in installer package files to download the malware and can steal passwords from a user’s memory and browser. It can also steal a user’s Bitcoin wallet and replace the user’s wallet information with hacker’s banking information.

Kaspersky researchers also identified Grandoreiro campaigns targeting Brazil, Mexico, Portugal and Spain since 2016. Hosted on Google Sites pages, Grandoreiro is delivered via compromised websites, Google ads or by using spear-phishing methods. Grandoreiro also uses a domain generation algorithm to hide the C2 address used during the attack.

“Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin American and later in Europe with great success, focusing its efforts on evading detection by using modular installers,” said researchers.

“Among the four families we described, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers for bypassing security measures used by banking institutions,” they continued.

Guildma, Javali, Melcoz and Grandoreiro are all examples of Brazilian banking operations targeting users in multiple countries. Unfortunately, researchers predict these threats will continue to evolve and take on new targets in additional countries.